i've had a local SSL CA for my own porpoises for years, and this site did in fact provide https access with those non-globally-trusted certificates for a while now.

i haven't advertised this at all because subjecting every one of my few visitors to a 'warning - untrusted ca, dangerous connection, it's for the security!!!!' kind of crap experience is not my aim.

in the meantime let's encrypt has appeared on the scene, and it works sortakinda well - about as well as can be expected with the utterly untrustworthy 'trust' design that is X.509.

the pros for using let's encrypt are clearly that they (EFF, mozilla, akamai, cisco) had a bigger stick than CAcert and thus managed to beat all the browser vendors into shipping their root cert as trusted.

the cons are their disgusting certbot client ("trust me, i'll manage all of your box for you...just run this wget, chmod a+x and execute me as root!") and that the certs need refreshing every 90 days.

fortunately the protocol is pretty clear and heaps of people have written heaps of smaller/simpler/nicer implementations.

personally i like dehydrated, which is small and straightforward, doesn't need root rights, is written in plain bash (using curl and openssl), and which is trivially cron'able (with a few lines of wrapper to reload apache if and when a cert refresh has happened). it's also in debian.
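as an added example (not the site's own script, and not part of dehydrated itself), here is the kind of few-line wrapper meant above: it fingerprints every cert.pem under the dehydrated certs directory, runs dehydrated in cron mode, and reloads apache only when the fingerprint actually changed, so an uneventful nightly run touches nothing. the paths in CERTDIR, DEHYDRATED and RELOAD are assumptions to adjust for your box; the only privilege the wrapper needs beyond the dehydrated user's is whatever RELOAD requires.

```shell
#!/bin/sh
# wrapper around dehydrated: refresh certificates, reload apache only on change.
# all three paths are assumptions for this example; adjust to your install.
CERTDIR="${CERTDIR:-/var/lib/dehydrated/certs}"
DEHYDRATED="${DEHYDRATED:-/usr/bin/dehydrated}"
RELOAD="${RELOAD:-sudo /bin/systemctl reload apache2}"

# one checksum over the contents of every cert.pem below the given directory.
# the file list is sorted so the result is stable across runs.
cert_fingerprint() {
    dir="$1"
    find "$dir" -name 'cert.pem' -type f 2>/dev/null | sort | while read -r f; do
        cksum < "$f"
    done | cksum | cut -d' ' -f1
}

# true (exit 0) when the before/after fingerprints differ
certs_changed() {
    [ "$1" != "$2" ]
}

main() {
    before=$(cert_fingerprint "$CERTDIR")
    # -c is dehydrated's cron mode: renew whatever is due, do nothing otherwise
    "$DEHYDRATED" -c || exit 1
    after=$(cert_fingerprint "$CERTDIR")
    if certs_changed "$before" "$after"; then
        echo "certificate(s) refreshed, reloading apache"
        $RELOAD
    else
        echo "no certificate changed, apache left alone"
    fi
}

# run the wrapper only when invoked as "dehydrated-wrapper.sh run" from cron,
# so the functions above can also be sourced and tested on their own
if [ "$1" = "run" ]; then
    main
fi
```

the fingerprint covers cert.pem only, which is enough because dehydrated writes the key, chain and fullchain in the same step; if you prefer, widen the find pattern to 'fullchain.pem' or both.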

after holding off on the ooh shiny new (beta) stuff for a while i've decided that it doesn't hurt to get user-friendly certificates from let's encrypt and to serve this site securely - naturally there are no sooopirsekrid wonders to be found here, but i detest snooping on principle. the fewer opportunities, the better.

hence, the implicit home page link with "/" is now redirecting to https. any more specific accesses, e.g. to "/index.html", are left as-is. (the rss feed isn't fully https-i-fied yet.)
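as an added illustration (not this site's actual configuration), the redirect described above, in the port-80 VirtualHost of an apache config; the hostname is a placeholder. a plain `Redirect` would not do, because it matches by prefix and would drag every path along; `RedirectMatch` with an anchored `^/$` hits only the bare "/" and leaves "/index.html" and friends alone.

```apache
# port-80 VirtualHost: only the bare "/" is sent to https, everything else stays
# as-is. YOUR.HOST.EXAMPLE is a placeholder for the real site name.
<VirtualHost *:80>
    ServerName YOUR.HOST.EXAMPLE
    # anchored regex: matches exactly "/" and nothing longer
    RedirectMatch permanent ^/$ https://YOUR.HOST.EXAMPLE/
</VirtualHost>
```

a quick check after reloading: `curl -sI http://YOUR.HOST.EXAMPLE/` should return a 301 with a https Location header, while `curl -sI http://YOUR.HOST.EXAMPLE/index.html` should still return the page directly.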

[ published on Sun 04.03.2018 13:52 | filed in interests/crypto | ]
© Alexander Zangerl